Validation of mobile app and cloud servers for data security

racglobal

Involved In Discussions
#1
Hello everyone,

To ensure the mobile app is securely downloaded from an app store such as Google Play or Apple store, how can a team validate the download is secure from Google Cloud servers? How can these cloud servers be validated? Is it assumed that because it's Google, the download must be secure? Thanks.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#2
I have no idea, so I asked my IT Director husband. His response: "Google Play and Android apps are not validated by these companies, but Apple validates its apps before making them available."

These apps are publicly contributed and the hosts take no responsibility for them. I would worry more about the app than the cloud servers; reviews can give solid hints. Google is known for pulling apps that get really bad reviews. This is, of course, after the fact... the security of your own internet provider and your network's visibility to others is a different topic altogether.

Therefore, if you want to ensure an Android or Google app is secure, you should first download it onto a segregated unit or drive, test it and then deploy it.

I hope this helps!
 

Marc

Hunkered Down for the Duration
Staff member
Admin
#3
Jennifer is correct, but... 1st: I'M NOT A SECURITY SPECIALIST. Hopefully someone who is can help with specifics with this one.

There are two aspects here that I can think of offhand:
  1. Security in the sense of whether the app itself is "secure" in how it works (such as no data leaks), and
  2. Security in that there is no MITM (man in the middle) or other data corruption issue that can in any way alter a file (which an "app" is).

Let's say you are just downloading an app. If the app provider provides a checksum for the app, you can verify whether or not the content of the app is exactly what it is supposed to be.
Also see: How to verify the checksum of a downloaded file (pgp, sha, etc.)? for some thoughts.
Microsoft's helper: Download Microsoft File Checksum Integrity Verifier from Official Microsoft Download Center
Windows 10's Built In checker: What Is a Checksum (and Why Should You Care)?

But remember, checksums are somewhat analogous to filesystem "fingerprints"- no two should ever be alike, and any modification to the file should change the checksum. But checksums are unsuitable for any kind of security work:
CRCs cannot be safely relied upon to verify data integrity (that no changes whatsoever have occurred), since it's extremely easy to intentionally change data without modifying its CRC.
That's probably because CRC is a simple algorithm designed for speed - not security. A checksum is really just a specific kind of hash. Steve Friedl's Illustrated Guide to Cryptographic Hashes is an excellent, highly visual introduction to the more general theory behind hashing.

NOTE: If the app was not coded well, or if the coder intentionally puts in malicious code, a checksum is useless.

Now as to the "app" itself. As per Jennifer's husband's response: This is the type of thing that pops up several times a year (or so it seems): 22 apps with 2 million+ Google Play downloads had a malicious backdoor and Google Play apps with as many as 2.6m downloads added devices to botnet are two examples. Now, these are apps available to the public. If you are thinking of making/coding an app and posting it somewhere to be downloaded by specific people this shouldn't be an issue.

NOTE: While Apple is quite good, Apple has also found and withdrawn malicious apps - For example, Apple Lists Top 25 Apps Compromised by XcodeGhost Malware and More malicious apps found in Mac App Store that are stealing user data
I am adding to @Jen Kirley 's response to make clear that for validation of software, which "apps" are, you need a security specialist. There are quite a few potential security issues that have to be considered.
 

Ed Panek

QA RA Small Med Dev Company
Trusted Information Resource
#4
We use iOS applications but it uses BLE to communicate with our device. BLUETOOTH SPECIFICATION Version 4.2 discusses the redundancy checks inherent in the BLE specification. That is, in order for the device to work it has to verify the checksum of each packet - that's 100% inspection. From our device's perspective, it is promiscuous and just transmits data without any HIPAA information. I have never been asked about this during an FDA audit or 13485 audits.

Technology is changing all the time. If a hospital changes out their routers or ATT repairs a 4G antenna we don't have to revalidate even though the antenna may be new (if we were using that method). We rely upon the specification to control it. Apple and Android have tight controls over application updates, etc. We regularly validate each new iOS sw update that it works. New router firmware at hospitals? No.
 
#5
There are many possible answers to your question, depending on what your question is. If your concern is whether the app downloaded from the store is the real app from a legitimate source, the checksum is clearly the answer; it is used in most security-critical applications to avoid fake malicious versions. If your question is about the network transmission, this clearly depends on who is downloading from where. In the end, the solution will probably be the checksum anyway.
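
Added example, not part of any post in this thread: posts #3 and #5 rest on comparing a download against a published digest and on CRCs being unfit for that job. The Python sketch below streams a file through SHA-256 for the comparison and tests the XOR relation that CRC-32 obeys and SHA-256 does not; the sample byte strings and all function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample inputs (equal length), not real app data.
A = b"app-build-1.0.0-"
B = b"app-build-1.0.1-"
C = b"constructed-data"


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large packages need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def download_matches(path, published_hex):
    """True only if the file's SHA-256 equals the publisher's digest.

    The digest must come from a channel the download itself did not use
    (for example the vendor's HTTPS page); otherwise whoever altered the
    file could alter the digest as well.
    """
    expected = published_hex.strip().lower()
    return hmac.compare_digest(sha256_of_file(path), expected)


def xor_bytes(a, b, c):
    if not len(a) == len(b) == len(c):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y ^ z for x, y, z in zip(a, b, c))


def crc32_relation_holds(a, b, c):
    """CRC-32 is affine over XOR: crc(a^b^c) == crc(a)^crc(b)^crc(c)."""
    return zlib.crc32(xor_bytes(a, b, c)) == (
        zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c))


def sha256_relation_holds(a, b, c):
    """The same relation tested on SHA-256 digests; it does not hold."""
    digests = [hashlib.sha256(m).digest() for m in (a, b, c)]
    return hashlib.sha256(xor_bytes(a, b, c)).digest() == xor_bytes(*digests)
```

A CRC's output follows a predictable algebraic relation to its input, which suits detecting accidental transmission errors but gives no protection against deliberate changes; a cryptographic hash has no such structure.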
 